Hi,
I've the sample code below, and when I intentionally put the wrong credentials, I get from "ldap_err2string( rc )" the error message: "Invalid credentials".
But monitoring network traffic with Wireshark, I can see that on the bindResponse packet that returns from the server, I also get a more detailed message. In my/this test case,
"errorMessage: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772"
Attached is also an image from Wireshark showing what I mean.
Question is, is there a way I could retrieve this more detailed message?
Thanks in advance for any help. Regards.
--- sample code:

    if ( (ld = (LDAP *)ldap_init( pHostName, iPortNum )) == NULL ) {
        perror( "ldap_init failed. Reason?:" );
        exit ( 1 );
    }
    if ( (rc=ldap_set_option( ld, LDAP_OPT_PROTOCOL_VERSION, &version)) != LDAP_SUCCESS ){
        fprintf( stderr, "ldap_set_option(LDAP_OPT_PROTOCOL_VERSION): %s\n", ldap_err2string( rc ) );
        exit( 1 );
    }
    if ( (rc=ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF)) != LDAP_SUCCESS){
        fprintf( stderr, "ldap_set_option(LDAP_OPT_REFERRALS): %s\n", ldap_err2string( rc ));
        exit( 1 );
    }
    rc = ldap_simple_bind_s( ld, "auth_dn", "auth_pw" );
    if ( rc != LDAP_SUCCESS ) {
        fprintf( stderr, "ldap_simple_bind_s() Failed: %s [%d]\n", ldap_err2string(rc), rc);
        ldap_unbind_s(ld); /* try unbind the failed connection anyway */
        exit ( 1 );
    }

On 03/08/2014 09:27 PM, Werner - Google wrote:
> Hi,
> I've the sample code below, and when I intentionally put the wrong credentials, I get from "ldap_err2string( rc )" the error message: "Invalid credentials".
> But monitoring network traffic with Wireshark, I can see that on the bindResponse packet that returns from the server, I also get a more detailed message. In my/this test case,
> "errorMessage: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 525, v1772"
> Attached is also an image from Wireshark showing what I mean.

ldap_err2string() (deprecated, BTW, like most of the functions you're using in your example code) maps an error code onto a static string. What you're looking for is the contents of the diagnosticMessage in an LDAP result. You can get it with ldap_parse_result(), but you need an LDAPMessage first.
See the client tools for an example of usage of non-deprecated functions that return the contents of the diagnosticMessage.
p.
On 08/03/2014, at 18:01, Pierangelo Masarati pierangelo.masarati@polimi.it wrote:
> ldap_err2string() (deprecated, BTW, like most of the functions you're using in your example code) maps an error code onto a static string. What you're looking for is the contents of the diagnosticMessage in an LDAP result. You can get it with ldap_parse_result(), but you need an LDAPMessage first.
> See the client tools for an example of usage of non-deprecated functions that return the contents of the diagnosticMessage.
> p.

Hi Pierangelo, I have been looking a lot at the client tools, but all of them use the asynchronous functions/methodology (ldap_bind/ldap_search_ext()..), and the code I'm trying to fix has its entire logic written based on the synchronous versions of bind/search.
And I could not find a way of using ldap_parse_result in this situation. I'm probably overlooking and/or not understanding how this works correctly. If you could point me in the correct direction if it's doable with the synchronous versions, I would appreciate it much.
Thanks -wm
-- Pierangelo Masarati Associate Professor Dipartimento di Scienze e Tecnologie Aerospaziali Politecnico di Milano
On 03/08/2014 11:39 PM, Werner M wrote:
> Hi Pierangelo, I have been looking a lot at the client tools, but all of them use the asynchronous functions/methodology (ldap_bind/ldap_search_ext()..), and the code I'm trying to fix has its entire logic written based on the synchronous versions of bind/search.
> And I could not find a way of using ldap_parse_result in this situation. I'm probably overlooking and/or not understanding how this works correctly. If you could point me in the correct direction if it's doable with the synchronous versions, I would appreciate it much.

If the LDAP handle is being used exclusively for one operation at a time (as it is presumably, since it uses synchronous operations) you can get that message using ldap_get_option() with LDAP_OPT_DIAGNOSTIC_MESSAGE after the operation completed, as already indicated by Howard.
We already pointed you in the right direction: look at the client tools, they usually do everything that is worth doing in what is thought to be the right way. If you want a quick'n'dirty answer, use the synchronous calls. If you want more information, it's a lot of work to collect it using calls like ldap_get_option(), which is basically a workaround. Asynchronous calls are much more powerful. Yes, you'll probably have to redesign and then rewrite your code.
p.
-- Pierangelo Masarati Associate Professor Dipartimento di Scienze e Tecnologie Aerospaziali Politecnico di Milano
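
Added example, not part of the original thread and not OpenLDAP code: once the diagnosticMessage has been read with ldap_get_option() and LDAP_OPT_DIAGNOSTIC_MESSAGE as described in the reply above, the Active Directory sub-code after "data" can be extracted and logged. The function names are hypothetical, the reason strings are the standard Win32 error meanings (not stated in the thread), and the libldap call appears only in a comment.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example; function names are hypothetical. With libldap the input
 * comes from the handle right after the failed synchronous bind:
 *     char *msg = NULL;
 *     ldap_get_option(ld, LDAP_OPT_DIAGNOSTIC_MESSAGE, &msg);
 *     ...parse and log msg...; ldap_memfree(msg);                        */

/* Hex sub-code after ", data " in an Active Directory diagnosticMessage,
 * or -1 when the field is absent or malformed. */
long ad_bind_subcode(const char *diag)
{
    const char *p;
    char *end;
    long code;

    if (diag == NULL || (p = strstr(diag, ", data ")) == NULL)
        return -1;
    p += strlen(", data ");
    code = strtol(p, &end, 16);
    if (end == p || code < 0 || (*end != ',' && *end != '\0'))
        return -1;
    return code;
}

/* Win32 meaning of the sub-code. Keep it in the server-side log; give the
 * end user one generic failure so 525 and 52e are indistinguishable. */
const char *ad_bind_reason(long code)
{
    switch (code) {
    case 0x525: return "user not found";
    case 0x52e: return "invalid credentials";
    case 0x532: return "password expired";
    case 0x533: return "account disabled";
    case 0x701: return "account expired";
    case 0x773: return "user must reset password";
    case 0x775: return "account locked out";
    default:    return "unknown";
    }
}

int main(void)
{   /* The message below is the one quoted in the thread. */
    long code = ad_bind_subcode("80090308: LdapErr: DSID-0C0903AA, comment: "
                                "AcceptSecurityContext error, data 525, v1772");
    fprintf(stderr, "bind failed: data %lx (%s)\n", code, ad_bind_reason(code));
    return 0;
}
```
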
closing thread::
Hi P,
I would like to thank you and Howard for your help/direction and all others for the hard work on OpenLDAP. Thanks for not simply giving the code and instead instigating the investigation process.
I've got the additional info using ldap_get_option/ LDAP_OPT_DIAGNOSTIC_MESSAGE.
Will evaluate and try rewriting it using async calls. But for now, I'm very happy I got it working.
Appreciated for the patience and help. -wm
Werner - Google wrote:
> Hi,
> I've the sample code below, and when I intentionally put the wrong credentials, I get from "ldap_err2string( rc )" the error message: "Invalid credentials".

Read the ldap_get_option(3), ldap_bind(3), and ldap_result(3) manpages.
On 08/03/2014, at 18:15, Howard Chu hyc@symas.com wrote:
> Read the ldap_get_option(3), ldap_bind(3), and ldap_result(3) manpages.

Thx for the quick reply.
I've read them many times, but I'm still unable to understand/find a way to use the ldap_result with "synchronous" function of bind/search.
If I understood the man pages correctly, ldap_result is a companion to ldap_simple_bind/ldap_search_ext (asynchronous). Is there a way of using it with the ldap_simple_bind_s()/ldap_search_ext_s() functions? Or should/must I take the time and rewrite my entire code and find a way of doing things using the asynchronous functions?
I noted that I've not provided the library versions. I'm on Ubuntu, with:

    $ slapd -V
    @(#) $OpenLDAP: slapd (Ubuntu) (Oct 8 2013 20:51:43) $
    buildd@akateko:/build/buildd/openldap-2.4.31/debian/build/servers/slapd

    $ ldapsearch -VV
    ldapsearch: @(#) $OpenLDAP: ldapsearch (Ubuntu) (Oct 8 2013 20:50:56) $
    buildd@akateko:/build/buildd/openldap-2.4.31/debian/build/clients/tools
    (LDAP library: OpenLDAP 20431)

-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
openldap-technical@openldap.org